From owner-freebsd-ports-bugs@FreeBSD.ORG Wed May 5 18:50:02 2010 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AE3031065674 for ; Wed, 5 May 2010 18:50:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 7460A8FC1E for ; Wed, 5 May 2010 18:50:02 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o45Io2wt039485 for ; Wed, 5 May 2010 18:50:02 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o45Io2fF039484; Wed, 5 May 2010 18:50:02 GMT (envelope-from gnats) Resent-Date: Wed, 5 May 2010 18:50:02 GMT Resent-Message-Id: <201005051850.o45Io2fF039484@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Niels Heinen Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 19F72106566B for ; Wed, 5 May 2010 18:42:32 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [69.147.83.33]) by mx1.freebsd.org (Postfix) with ESMTP id 0B15F8FC17 for ; Wed, 5 May 2010 18:42:32 +0000 (UTC) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o45IgVF3021864 for ; Wed, 5 May 2010 18:42:31 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.14.3/8.14.3/Submit) id o45IgV8d021863; Wed, 5 May 2010 18:42:31 GMT (envelope-from nobody) Message-Id: <201005051842.o45IgV8d021863@www.freebsd.org> Date: Wed, 5 May 2010 18:42:31 GMT From: Niels Heinen To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: ports/146337: [security] devel/lxr XSS vulnerabilities X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 May 2010 18:50:02 -0000 >Number: 146337 >Category: ports >Synopsis: [security] devel/lxr XSS vulnerabilities >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed May 05 18:50:02 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Niels Heinen >Release: 8.0-STABLE >Organization: >Environment: >Description: >From the bug report: There are several cross-site scripting vulnerabilities in LXR. These vulnerabilities could allow an attacker to execute scripts in a user's browser, steal cookies associated with vulnerable domains, redirect the user to malicious websites, etc. This PR is to request a port upgrade. A VuXML entry will be committed shortly and therefore the port will be marked vulnerable until this PR is solved. >How-To-Repeat: N/A >Fix: Two actions are required: 1) Please upgrade to port to version 0.9.8 (fixes CVE-2009-4497) 2) Apply the following patch: http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?r1=1.63&r2=1.64 Thanks in advance! Niels >Release-Note: >Audit-Trail: >Unformatted: